Chapter 7 - Malicious Software
6.1 What are three broad mechanisms that malware can use to propagate?
· Infection of existing content by viruses, which is then spread to other systems
· Exploitation of software vulnerabilities by worms or drive-by downloads to replicate the malware
· Social engineering attacks that convince users to install programs or respond to phishing attacks

6.2 What are four broad categories of payloads that malware may carry?
· Corruption of system or data files
· Theft of service, making the system a zombie agent of attack as part of a botnet
· Information theft, such as logins, passwords and personal details, by keylogging or spyware
· Stealth, where the malware hides its presence on the system from attempts to detect and block it

6.3 What characteristics of an advanced persistent threat give it that name?
· Advanced: the attackers employ highly advanced methods and tools to breach a target system or network
· Persistent: the attacker is patient and will continue the attack for however long a successful breach requires
· Threat: the attackers have many known vulnerabilities that require attention

6.4 What are typical phases of operation of a virus or worm?
· Dormant phase: the virus is inactive on the system, waiting for a trigger
· Propagation phase: the virus replicates on the target system by implanting copies of itself in user files and programs
· Triggering phase: the virus is activated to perform the function for which it was intended
· Execution phase: the function is performed

6.5 What is a blended attack?
· An attack that uses multiple methods of infection to maximize the speed of contagion and the severity of the attack

6.6 What is the difference between a worm and a zombie?
· A worm is a program that seeks out more machines to infect, exploiting software vulnerabilities, shared media and network connections
· A zombie is a compromised system that can be used for malicious tasks over a remote connection

6.7 What does "fingerprinting" mean for network worms?
· Searching for other systems to infect: identifying potential systems that are running vulnerable services

6.8 What is a "drive-by-download" and how does it differ from a worm?
· A drive-by download exploits vulnerabilities in a browser: when a user views a web page or HTML e-mail message controlled by an attacker, it contains code that exploits the browser bug to download and install malware on the system
· A worm is a program that actively seeks out more machines to infect; each infected machine then serves as an automated launching pad for attacks on other machines

6.9 How does a Trojan enable malware to propagate? How common are Trojans on computer systems? Or on mobile platforms?
· A Trojan is a program containing hidden code that executes to perform its attack. Trojans can be used to accomplish functions indirectly. Trojans have also been used to target mobile phones

6.10 What is a "logic bomb"?
· A logic bomb is code embedded in the malware that "explodes" when certain conditions are met. Once triggered, the bomb can alter or delete data and even cause the machine to halt

6.11 What is the difference between a backdoor, a bot, a keylogger, spyware, and a rootkit? Can they all be present in the same malware?
· A backdoor is a piece of software that allows access to the computer system by bypassing the normal authentication procedures
· A bot is a remotely controlled malware program installed on a computer without the knowledge of the user. The program may have complete control over the computer's operations and internet functions
· A keylogger is software that captures keystrokes on the infected machine. Keyloggers implement filtering mechanisms
· Spyware is software that collects information from a computer and sends it to another system
· A rootkit is a set of programs installed on a system to maintain access with admin privileges while hiding its presence
· Yes, they can all be present in the same malware

6.12 What is the difference between a "phishing" attack and a "spear-phishing" attack, particularly in terms of who the target may be?
· In phishing, the emails are general and distributed to a large number of users. Spear-phishing claims to be from a trusted source, and the email is more carefully crafted because the target has been researched

6.13 What is a clickjacking vulnerability?
· Clickjacking is a vulnerability used by an attacker to collect an infected user's clicks

6.14 List a few characteristics to classify rootkits.
· Persistent, memory based, user mode, kernel mode

6.15 Describe some rootkit countermeasures.
· Host-based IDSs and host-based antivirus can be used to look for signatures of known rootkit attacks
· File integrity checks
· If a kernel-level rootkit is detected, it is best to reinstall the OS on the infected machine